Personal notes on Linux operation and maintenance: special permission

1, Special permission SUID

  • We have learned the three common permissions r (read), w (write) and x (execute), but when we look at the permissions of some system files, other permission letters appear, for example:
ll /usr/bin/passwd
	-rwsr-xr-x. 1 root root 27832 Jun 10  2014 /usr/bin/passwd
	   ▲
#When an ordinary user --> executes the --> passwd command:
	#1. Because the passwd command has the SUID special permission (there is an s in the owner's permission bits),
	#2. While the command runs, it runs as the owner of the command file, i.e. root.
  • Ordinary user --> passwd --> the command runs with the identity of its owner, root --> with root's identity --> it changes the password information in /etc/shadow
  • Example:
    By default, ordinary users cannot view /etc/shadow. Is there a way to let ordinary users view /etc/shadow?
su - xu 													#Switch to normal user
Last login: Sat Mar 14 00:54:53 CST 2020 on pts/0
$ cat /etc/shadow											#An ordinary user cannot cat this file
cat: /etc/shadow: Permission denied
ll /usr/bin/cat												#View cat command permissions
-rwxr-xr-x. 1 root root 54160 Oct 31  2018 /usr/bin/cat
chmod 4755 /usr/bin/cat										#Give special permission SUID to cat command
#Or chmod u+s /usr/bin/cat
ll /usr/bin/cat												#View cat command permissions
-rwsr-xr-x. 1 root root 54160 Oct 31  2018 /usr/bin/cat
   ▲
$ cat /etc/shadow											#cat it again as the ordinary user
root:$6$z/ZkRi2of/59HbsT$pfSdItKyuq5/R6u0t4CzhapdU32fGc9d7Vxy6AKfJnU758IuBc/q4sIgY6w2aQHj6cE60GQbHLjx7.JiRl2/x0::0:99999:7:::
bin:*:17834:0:99999:7:::
daemon:*:17834:0:99999:7:::

2, Special permission SGID

  • Representation: an S (execute permission) or s (no execute permission) is displayed in the group permission bits of the file

  • When an ordinary user executes the passwd command:
    1. Because the passwd command has the SGID special permission (there is an s in the command's group permission bit),
    2. While the command runs, it runs with the identity of the command file's group, i.e. group root.

  • File: ordinary user --> passwd --> the command runs with the identity of its group, root --> with the root group identity --> it changes the password information in /etc/shadow
    Directory: after SGID is set on a directory, files created inside it get the same group as the directory
    suid runs the command program with the identity of the file's "owner"
    sgid runs the command program with the identity of the file's "group"

  • Example:

ll /usr/bin/cat
-rwxr-xr-x. 1 root root 54160 Oct 31  2018 /usr/bin/cat
chmod 2755 /usr/bin/cat
#Or chmod g+s /usr/bin/cat
ll /usr/bin/cat
-rwxr-sr-x. 1 root root 54160 Oct 31  2018 /usr/bin/cat
      ▲
  • Purpose of sgid:
    Setting sgid on a directory makes it easy for several users in the same group to share all the files in that directory.

3, Special permission SBIT

  • For directories:
    Once a directory has the sticky bit set, only root can delete any file in it; even if ordinary users have w permission on the directory, they can only delete files they created themselves, not files created by other users.
chmod 1755 /usr/bin/cat
#Or chmod o+t /usr/bin/cat
ll /usr/bin/cat
-rwxr-xr-t. 1 root root 54160 Oct 31  2018 /usr/bin/cat
		 ▲
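The three sections above all change one of the same three mode bits (SUID 4000, SGID 2000, sticky 1000). The script below is an added example, not part of the original notes: it walks a directory tree, lists every entry that carries any of those bits, and decodes which ones a given path has from its numeric mode, which is the check an administrator runs to notice a binary such as cat that has unexpectedly become SUID. It assumes a Linux system with GNU find and stat; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: audit a directory tree for the
# SUID, SGID and sticky bits described above and decode a path's special bits.
# Assumes a Linux system with GNU find and stat; the function names are this
# example's own.

# Print every entry under $1 that carries SUID (4000), SGID (2000) or sticky (1000).
# "-perm /7000" matches when ANY of those three bits is set.
find_special() {
    find "$1" -perm /7000 2>/dev/null | sort
}

# Print which special bits $1 carries, read from its numeric mode.
# stat %a prints e.g. 4755 for SUID+755 and just 755 when no special bit is set.
describe_special() {
    mode=$(stat -c '%a' "$1") || return 1
    special=$(( 0$mode / 512 ))      # leading 0 = octal; /512 keeps the top digit
    out=""
    [ $(( special & 4 )) -ne 0 ] && out="$out suid"
    [ $(( special & 2 )) -ne 0 ] && out="$out sgid"
    [ $(( special & 1 )) -ne 0 ] && out="$out sticky"
    out=${out# }
    printf '%s\n' "${out:-none}"
}

# Usage: sh audit_special.sh /usr/bin
# Prints each special-bit entry under the given tree with its decoded bits.
if [ -n "${1:-}" ]; then
    find_special "$1" | while IFS= read -r p; do
        printf '%s\t%s\n' "$(describe_special "$p")" "$p"
    done
fi
```

Run it against /usr/bin on a fresh system to get a baseline list, and compare later runs against it; a new SUID entry that no package installed is worth investigating. When reading ls output by eye, remember that ls prints a lowercase s or t when the execute bit in that position is also set, and an uppercase S or T when it is not.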

4, Special properties

  • Permission related
    For instance:
    1. I want to create a file that is not allowed to be deleted, not even by root.
    2. I want this file to only allow data to be appended to it.
    The chattr command (usable only by root) modifies file system attributes, adding restrictions on top of the basic rwx permissions.
  • chattr [+ - =] option file-or-directory-name
    Operator: +: add an attribute
    -: remove an attribute
    =: set exactly these attributes
    a: make the file or directory append-only
    i: make the file or directory immutable (it cannot be changed)
  • Example: configure a file so that it cannot be changed or deleted, only appended to
touch file					#create a file
lsattr file					#Query file system properties
	---------------- file
chattr +a file				#Set the append-only attribute on the file
lsattr file					#Query file system properties
	-----a---------- file
vim file					#Manual edit with vim (fails)
echo '123' >>file			#Append text (succeeds)
cat file
	123
rm -f file					#Delete file (fails)
	rm: cannot remove 'file': Operation not permitted
#To delete the file you must, as root, remove the attribute first and then delete it
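The a and i attributes do not show up in ls output, only in lsattr, so an administrator who wants to know which files on a system are append-only or immutable has to scan lsattr output. The script below is an added example, not part of the original notes: it decodes the flag field of an lsattr line and filters lsattr -R output down to the entries that carry a or i. It assumes the GNU e2fsprogs lsattr output format ("flags path", with "path:" header lines in recursive mode); the function names and the sample lines in the test are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: decode the flag field of an
# lsattr line and pick out files that are append-only (a) or immutable (i).
# Assumes the GNU e2fsprogs lsattr output format ("flags path"); the function
# names are this example's own.

# describe_attr_flags "LSATTR_LINE" -> "append-only", "immutable", both, or "none"
describe_attr_flags() {
    flags=${1%% *}                      # first whitespace-separated field
    out=""
    case $flags in *a*) out="$out append-only" ;; esac
    case $flags in *i*) out="$out immutable" ;; esac
    out=${out# }
    printf '%s\n' "${out:-none}"
}

# filter_locked reads lsattr -R output on stdin and prints only the lines whose
# flag field contains a or i. Blank lines and "path:" header lines are skipped,
# and a first field with anything other than '-' and letters is not a flag field.
filter_locked() {
    while IFS= read -r line; do
        case $line in ''|*:) continue ;; esac       # blank line or "path:" header
        case ${line%% *} in
            *[!a-zA-Z-]*) continue ;;               # not a flag field at all
            *a*|*i*) printf '%s\n' "$line" ;;
        esac
    done
}

# find_locked_files DIR: the same check on a real tree (needs lsattr and a
# file system that supports these attributes, such as ext4 or xfs).
find_locked_files() {
    lsattr -R "$1" 2>/dev/null | filter_locked
}
```

Run find_locked_files over /etc or /usr on a system you administer and keep the list: an immutable or append-only file you did not set yourself is a sign that someone with root has locked it, and rm, vim and even package upgrades will fail on it until the attribute is removed.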

5, Default permission UMASK

  • 1. Why is the default permission of a newly created file 644 and of a directory 755?
    2. Why is the home directory of a newly created ordinary user 700 by default?

    Reason:
    By default the system starts from fixed permissions: directory 777, file 666. Why are the created files and directories neither 777 nor 666?
    Because UMASK is applied; for example, with UMASK set to 0022
    the files and directories finally created are
    Directory: 755
    File: 644

  • The default permission of an ordinary user's home directory.

vim /etc/login.defs
	UMASK           077		#UMASK applied when a user and its home directory are created
#777-077=700
ll -d /home/u1
drwx------. 3 u1 grp1 78 Mar 13 01:30 /home/u1
#If you want home directories created with permission 755, set UMASK to 022 in /etc/login.defs
  • By default, files created by root have different permissions from those created by ordinary users:
  1. Files created by root default to 644
  2. Files created by ordinary users default to 664

When a user logs in, the system loads some environment settings to initialize the working environment (/etc/profile).

vim /etc/profile
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
    umask 002
else
    umask 022
fi
#Root: UID 0. Since the UID is not greater than 199, UMASK is initialized to 022
#Ordinary user: UID 1000 is greater than 199, and the group name equals the user name, so the condition is true and UMASK is initialized to 002
#The default permissions of files and directories are determined by UMASK. UMASK is set by this condition in /etc/profile when a user logs in to the system.
UMASK extension
  • When all bits of umask are even
    umask 044
    mkdir d044: directory permissions are 777 - 044 = 733
    touch f044: file permissions are 666 - 044 = 622

  • When some bits of umask are odd
    umask 023
    mkdir d023: directory permissions are 777 - 023 = 754
    touch f023: file permissions are 666 - 023 = 643 + 001 = 644

  • When some bits of umask are odd
    umask 032
    mkdir d032: directory permissions are 777 - 032 = 745
    touch f032: file permissions are 666 - 032 = 634 + 010 = 644

  • When all bits of the umask value are odd
    umask 035
    mkdir d035: directory permissions are 777 - 035 = 742
    touch f035: file permissions are 666 - 035 = 631 + 011 = 642
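The "+001 / +010 / +011" corrections above are needed because the kernel does not subtract the umask; it clears each umask bit from the base mode (base AND NOT umask), and a file base of 666 has no execute bit for an odd umask digit to take away. The script below is an added example, not part of the original notes: it computes the resulting mode with that bitwise rule for the four umask values in the notes and, for each, creates a real file and directory under that umask to confirm the kernel agrees. It assumes a Linux system with GNU stat; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: compute the default permission a
# umask produces (base AND NOT umask) and confirm it against what the kernel
# actually creates. Assumes a Linux system with GNU stat; the function names
# are this example's own.

# default_mode BASE UMASK -> resulting mode, e.g. default_mode 666 023 -> 644
default_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))      # leading 0 = octal constant
}

# actual_mode UMASK KIND -> mode the kernel really gives a new file (KIND=file)
# or directory (KIND=dir) under that umask. Runs in a subshell so the caller's
# umask is untouched; the scratch directory is removed afterwards.
actual_mode() {
    (
        umask "$1" || exit 1
        tmp=$(mktemp -d) || exit 1
        if [ "$2" = dir ]; then
            mkdir "$tmp/d" && p="$tmp/d"       # mkdir asks for 0777
        else
            : > "$tmp/f" && p="$tmp/f"         # a new regular file asks for 0666
        fi
        stat -c '%a' "$p"
        rm -rf "$tmp"
    )
}

# Usage: sh umask_check.sh  (prints the four cases from the notes, both ways)
for m in 044 023 032 035; do
    printf 'umask %s: file %s (computed) %s (actual), dir %s (computed) %s (actual)\n' \
        "$m" "$(default_mode 666 "$m")" "$(actual_mode "$m" file)" \
        "$(default_mode 777 "$m")" "$(actual_mode "$m" dir)"
done
```

The same rule explains the home-directory case: 777 AND NOT 077 is 700, and a umask of 022 gives 755. Because umask is a per-process setting inherited by child processes, a service started with a loose umask (for example 000) creates world-writable files; checking the umask of long-running daemons is part of the same review as checking these defaults.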


Posted on Tue, 17 Mar 2020 03:21:01 -0700 by ceanth